IN THE CLAIMS:

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

LISTING OF CLAIMS: 

1. (currently amended) In a network having a plurality of security perimeter routers, a A method for determining packets to be discarded in response to a distributed denial-of-service (DDoS) attack, said method comprising the steps of:

confirming a DDoS attack at a network location using a plurality of packet attribute values aggregated from said a plurality of routers forming a security perimeter of a network;

computing an aggregate conditional probability measure for each packet entering 
said location based on selected attributes included within said packet from each of said 
plurality of security perimeter routers router; 

computing an aggregate cumulative distribution function (CDF) of scores based 
on said computed aggregate conditional probability measures; 

determining a discarding threshold using said cumulative probability function; and

sending said discarding threshold to each of said plurality of security perimeter routers.

2. (currently amended) The method of claim 1, wherein said step of computing an aggregate conditional probability measure further comprises: includes the steps of

updating an individual marginal probability mass function and a joint probability 
mass function for attributes carried by each said packet. 

3. (currently amended) The method of claim 1, further comprising: including the 
step of granting immunity to packets of a specified sub-type entering said 
location. 

630899-1 



Serial No. 10/723,450 
Page 9 of 25 

4. (currently amended) The method of claim 1, wherein said aggregate conditional 
probability measure is computed in accordance with the following equation: 



where: ρ_m is currently measured utilization of a system;
ρ_n is nominal utilization of the system;
A, B, C, ... is a set of packet attributes;
JP_n(A, B, C, ...) is a joint probability mass function of the set of attributes under normal traffic conditions;
JP_m(A, B, C, ...) is the joint probability mass function of the set of attributes measured under current traffic conditions; and
a, b, c, ... are the particular values that the attributes A, B, C, ... take.

5. (currently amended) The method of claim 1, wherein said aggregate conditional 
probability measure is computed in accordance with the following equation: 



where: ρ_m is currently measured utilization of a system;
ρ_n is nominal utilization of the system;
A, B, and C is a set of packet attributes;
P_n(A, B, C) is a marginal probability mass function of the set of attributes under normal traffic conditions;
P_m(A, B, C) is the marginal probability mass function of the set of attributes measured under current traffic conditions; and
a, b, and c are the particular values that the attributes A, B, and C take.



Equation of claim 4:

$$CP(p) = \frac{\rho_n \, JP_n(A = a_p, B = b_p, C = c_p, \ldots)}{\rho_m \, JP_m(A = a_p, B = b_p, C = c_p, \ldots)}$$

Equation of claim 5:

$$CP(p) = \frac{\rho_n \, P_n(A = a_p) \, P_n(B = b_p) \, P_n(C = c_p)}{\rho_m \, P_m(A = a_p) \, P_m(B = b_p) \, P_m(C = c_p)}$$
6. (original) The method of claim 1, wherein said discarding threshold is calculated
using a load shedding algorithm, combined with an inverse lookup on the aggregate CDF 
of scores. 

7. (original) The method of claim 2, wherein said joint and marginal probability 
functions are maintained using iceberg-style histograms. 

8. (currently amended) In a network comprising a centralized controller and a plurality of routers forming a security perimeter, a A method for selectively discarding packets during a distributed denial-of-service (DDoS) attack over said a network, comprising:

aggregating, in said network comprising a centralized controller and a plurality of routers forming a security perimeter, victim destination prefix lists and attack statistics associated with incoming packets received from said plurality of security perimeter routers to confirm a DDoS attack victim;

aggregating packet attribute distribution frequencies for incoming victim related 
packets received from said plurality of security perimeter routers; 

generating common scorebooks from said aggregated packet attribute distribution 
frequencies and nominal traffic profiles; 

aggregating local cumulative distribution function (CDF) of the local scores 
derived from said plurality of security perimeter routers; and 

providing, to each of said plurality of security perimeter routers, a common 
discarding threshold, said discarding threshold defining a condition in which an incoming 
packet may be discarded at said security perimeter. 

9. (currently amended) The method of claim 8, wherein said aggregating local victim destination prefix lists and attack statistics of associated with incoming packets comprises:

comparing measured attribute values to nominal traffic attribute values for packet traffic sent to a particular destination to nominal traffic attribute values; and
identifying increases in said measured attribute values over said nominal traffic
attribute values. 

10. (currently amended) The method of claim 9, wherein said confirming said DDoS 
attack victim of said DDoS attack comprises determining if said identified increases for 
said measured attribute values exceed respective predetermined thresholds. 

11. (currently amended) The method of claim 8, wherein said local victim destination 
prefix list and attack statistics comprise at least one of packets per second (pps), bits per 
second (bps), flow counts, and flow rates of incoming packets. 

12. (original) The method of claim 8, wherein said aggregating packet attribute 
distribution frequencies for incoming victim related packets comprises: 

receiving packet attribute distribution frequencies from said plurality of security 
perimeter routers, said packet attribute distribution frequencies including incoming 
packet attribute information comprising at least one of: IP protocol-type values, packet 
size, source/destination port numbers, source/destination IP prefixes, Time-to-Live (TTL) 
values, IP/TCP header length, TCP flag combinations, use IP fragmentation, and 
incorrect packet protocol checksums. 

13. (original) The method of claim 8, wherein said aggregating packet attribute 
distribution frequencies for incoming victim related packets comprises: 

receiving packet attribute distribution frequencies from said plurality of security perimeter routers, said packet attribute distribution frequencies including
incoming packet attribute information comprising joint distribution of the fraction of 
packets having various combinations of Time-to-Live (TTL) values and source IP prefix, 
packet-size and protocol-type, and destination port number and protocol-type. 

14. (original) The method of claim 13, wherein said receiving packet attribute 
distribution frequencies comprises receiving iceberg-style histograms comprising said 
incoming packet attribute information. 




15. (original) The method of claim 8, wherein said generating common scorebooks 
comprises: 

computing partial scores of different attributes; and 

computing a weighted sum of said partial scores to yield a logarithmic function of 
conditional legitimate probability for each incoming packet. 

16. (original) The method of claim 8, wherein said common discarding threshold 
comprises: 

performing a load-shedding algorithm to determine a fraction (%pd) of arriving 
suspicious packets required to be discarded; and 

performing an inverse lookup on the aggregate CDF of scores. 

17. (original) The method of claim 16, where at each of said plurality of security 
perimeter routers, said method further comprises: 

determining whether a score of an incoming packet is less than or equal to said 
discarding threshold; 

discarding said incoming packet in an instance said score is less than or equal to 
said discarding threshold; and 

forwarding said incoming packet for routing to destination in an instance said score is greater than said discarding threshold.
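As an added illustration of the scoring pipeline recited in claims 4, 5, 15, 16 and 17 (example code written here, not part of the application): marginal profiles are estimated from packets, each packet gets the claim-5 product form of CP(p) as a log score, a load-shedding fraction %pd is turned into a discarding threshold by inverse lookup on the empirical CDF, and packets scoring at or below the threshold are discarded. The attribute set, the load-shedding rule %pd = 1 - ρ_n/ρ_m, unit weights for the partial scores, and the traffic samples are all assumptions made for the example.

```python
# Added illustration (not from the patent): a toy version of the claimed pipeline.
# Assumptions: three attributes (TTL, protocol, dst port), the claim-5 product form
# of CP(p), unit-weight log partial scores for claim 15, a simple load-shedding rule
# %pd = 1 - rho_n/rho_m for claim 16, and constructed traffic samples.
import math
from collections import Counter

ATTRS = ("ttl", "proto", "dport")

def marginals(packets):
    """Per-attribute marginal PMFs P(A = a) estimated from a packet list."""
    n = len(packets)
    return {a: {v: c / n for v, c in Counter(p[a] for p in packets).items()}
            for a in ATTRS}

def cp_score(pkt, pn, pm, rho_n, rho_m, floor=1e-6):
    """log CP(p) = log(rho_n/rho_m) + sum over A of [log Pn(A=a_p) - log Pm(A=a_p)].
    Attribute values absent from a profile get a small floor so the log stays finite."""
    s = math.log(rho_n / rho_m)
    for a in ATTRS:
        s += math.log(pn[a].get(pkt[a], floor)) - math.log(pm[a].get(pkt[a], floor))
    return s

def load_shed_fraction(rho_n, rho_m):
    """Assumed load-shedding rule: shed the fraction needed to return to nominal load."""
    return max(0.0, 1.0 - rho_n / rho_m)

def threshold_from_cdf(scores, pd_fraction):
    """Inverse lookup on the empirical CDF: the score at or below which %pd of packets fall."""
    s = sorted(scores)
    k = round(pd_fraction * len(s))   # number of lowest-scoring packets to shed
    return s[k - 1] if k > 0 else -math.inf

def decide(score, thr):
    """Router-side rule (claim 17): discard when score <= threshold, otherwise forward."""
    return "discard" if score <= thr else "forward"

def run_demo():
    # Constructed nominal profile: TCP to 80/443 over a spread of TTLs (20 packets).
    nominal = [{"ttl": t, "proto": "tcp", "dport": d}
               for t in (48, 56, 64, 112, 128) for d in (80, 443)] * 2
    # Constructed attack window: the same legitimate mix plus a UDP/53 flood (30 packets).
    current = nominal + [{"ttl": 64, "proto": "udp", "dport": 53}] * 30
    rho_n, rho_m = 0.4, 1.0   # nominal vs. currently measured utilization (constructed)
    pn, pm = marginals(nominal), marginals(current)
    scores = [cp_score(p, pn, pm, rho_n, rho_m) for p in current]
    thr = threshold_from_cdf(scores, load_shed_fraction(rho_n, rho_m))
    verdicts = [decide(s, thr) for s in scores]
    return thr, verdicts.count("discard"), verdicts.count("forward")
```

With the constructed samples the flood packets share one very low score, the threshold lands on that score, and exactly the 30 flood packets are discarded while the 20 legitimate packets are forwarded.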

18. (currently amended) A method for selectively discarding packets at a plurality of routers forming a security perimeter of a network during a distributed denial-of-service (DDoS) attack over [[a]] said network, each of said routers comprising the steps of:

sending, from each of a plurality of routers forming said security perimeter,
victim destination prefix list and attack statistics associated with incoming packets to a 
centralized controller adapted to confirm a victim of said DDoS attack; 

sending, from each of said plurality of security perimeter routers, packet attribute
distribution frequencies for incoming victim related packets; 
receiving, at each of said plurality of security perimeter routers from said
centralized controller, common scorebooks formed by using aggregated packet attribute 
distribution frequencies and nominal traffic profiles; 

sending, from each of said plurality of security perimeter routers, a local
cumulative distribution function (CDF) of scores to said centralized controller; and 

discarding, at each of said plurality of security perimeter routers, incoming
packets based on a commonly distributed discarding threshold defined by said centralized 
controller. 

19. (original) The method of claim 18, further including the step of classifying said 
incoming packets as being one of suspicious and non-suspicious packets based on a 
destination address of said incoming packet. 

20. (original) The method of claim 19, wherein said local victim destination prefix list 
and attack statistics comprise at least one of packets per second (pps), bits per second 
(bps), flow counts, and flow rates of incoming packets. 

21. (original) The method of claim 19, wherein said sending packet attribute 
distribution frequencies comprises monitoring packet attribute distribution frequencies 
including incoming packet attribute information comprising at least one of IP protocol- 
type values, packet size, source /destination port numbers, source/destination IP prefixes, 
Time-to-Live (TTL) values, IP/TCP header length, TCP flag combinations, use IP 
fragmentation, and incorrect packet protocol checksums. 

22. (original) The method of claim 21, wherein said packet attribute distribution 
frequencies are sent in a form of iceberg-style histograms. 

23. (original) The method of claim 20, wherein said sending a local cumulative 
distribution function (CDF) of scores comprises: 
determining a predetermined number of incoming packets to monitor;

for each incoming packet of said predetermined number of incoming packets: 

determining attribute scores from said received scorebooks; and 

locally aggregating said scores; and 

forming said CDF from said aggregated scores associated with said predetermined 
number of incoming packets. 

24. (original) The method of claim 19 wherein said commonly distributed discarding 
threshold comprises: 

a fraction (%pd) of arriving suspicious packets associated with an aggregated CDF 
from all of said routers. 

25. (original) The method of claim 23, wherein said discarding said incoming packets 
comprises: 

determining whether a score of an incoming packet is less than or equal to said 
discarding threshold; 

discarding said incoming packet in an instance said score is less than or equal to 
said discarding threshold; and 

forwarding said incoming packet for routing to destination in an instance said score is greater than said discarding threshold.

26. (currently amended) In a network having a plurality of security perimeter routers and a A centralized controller for determining packets to be dropped in regard to a potential distributed denial-of-service (DDoS) attack at a location within a packet network, said centralized controller comprising:

means for aggregating a plurality of packet attribute values respectively received from said a plurality of routers forming a security perimeter of a network to confirm said attack at said location, wherein said centralized controller is associated with said network;
means for computing an aggregate conditional probability measure for each
packet entering said location based on selected attributes included within said packet 
from each location; 

means for computing an aggregate cumulative distribution function (CDF) based 
on said computed aggregate conditional probability measures; 

means for determining a drop threshold based on access to said cumulative 
probability function; and 

means for sending said drop threshold to each of said plurality of security perimeter routers, wherein each of said plurality of security perimeter routers are is adapted to pass through packets, that exceed said determined drop thresholds to said location.

27. (currently amended) In a network having a plurality of security perimeter routers and a A centralized controller for determining packets to be dropped in regard to a potential distributed denial-of-service (DDoS) attack at a location within a packet network, said centralized controller comprising:

means for aggregating, local victim destination prefix lists and attack statistics associated with incoming packets received from a plurality of routers of a network forming a security perimeter in said network, to confirm a victim of said DDoS attack, wherein said centralized controller is associated with said network;

means for aggregating packet attribute distribution frequencies for incoming 
victim related packets received from said plurality of security perimeter routers; 

means for generating common scorebooks from said aggregated packet attribute 
distribution frequencies and nominal traffic profiles; 

means for aggregating local cumulative distribution function (CDF) of the local 
scores derived from said plurality of security perimeter routers; and 

means for providing, to each of said plurality of security perimeter routers, a 
common discarding threshold, said discarding threshold defining a condition in which an 
incoming packet may be discarded at said security perimeter. 
28. (currently amended) In a A network having comprising:
a plurality of security perimeter routers and

a centralized controller for determining packets to be dropped in regard to a potential distributed denial-of-service (DDoS) attack at a location within a packet network; and

a plurality of security perimeter routers wherein each of said security perimeter routers comprises comprising:

means for sending victim destination prefix lists and attack 
statistics associated with incoming packets to a said centralized controller 
adapted to confirm a victim of said DDoS attack; 

means for sending to said centralized controller packet attribute distribution frequencies for incoming victim related packets;

means for receiving, from said centralized controller, common 
scorebooks formed by aggregated packet attribute distribution frequencies 
and nominal traffic profiles; 

means for sending a local cumulative distribution function (CDF) 
of scores to said centralized controller; and 

means for discarding incoming packets based on a commonly 
distributed, to said plurality of security perimeter routers, discarding 
threshold defined by said centralized controller. 